docs: update What's New page (2026-04-27)#245
Closed
edspencer wants to merge 42 commits into
Closed
Conversation
Analyzed 8 commits since last check (1114870..1c3f5db): - 4 housekeeping commits (agent state updates) - 2 documentation commits (already addressed gaps) - 1 version bump commit - 1 bug fix commit (Windows path.sep fix) No documentation gaps found. The Windows compatibility fix in commit 31c675c is an internal implementation detail that doesn't require user-facing documentation updates. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Analyzed 2 commits since last check (1c3f5db..8818ab1): - 1 documentation audit state update (ce7d60e) - 1 engineer agent housekeeping commit (8818ab1) No documentation gaps found. Both commits are internal maintenance (agent state updates) and don't require user-facing documentation changes. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Analyzed 3 commits since last check (8818ab1..984faf0): - 2 engineer agent housekeeping commits (1e472a2, 984faf0) - 1 documentation audit state update (65da0b2) No documentation gaps found. All commits are internal maintenance (agent state tracking) and don't require user-facing documentation changes. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Analyzed 3 commits since last check (984faf0..20e46a7): - 2 engineer agent housekeeping commits (53fcb3a, 20e46a7) - 1 documentation audit state update (03e0f70) No documentation gaps found. All commits are internal maintenance (agent state tracking) and don't require user-facing documentation changes. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Status: 🟢 GREEN - Path traversal strengthened, dependencies require triage ## Key Findings - ✅ Path traversal protection strengthened (commit 31c675c) - 🔴 NEW Finding #13: npm dependency vulnerabilities escalated - 2 CRITICAL, 15 HIGH, 24 MODERATE (up from 0/4/4) - Requires immediate triage - ✅ Discord file attachments have comprehensive security controls -⚠️ Finding #12 (web API auth) unchanged - needs documentation -⚠️ Finding #11 (OAuth credentials) unchanged ## Audit Metrics - Commits reviewed: 22 (5f79021..54bff77) - Scanner duration: 7.2 seconds - Security-relevant changes: 6 of 22 commits (27%) - New questions: Q15 (file scanning), Q16 (voice retention) ## Coverage Status All areas current except dependencies (STALE - triage needed) Next audit: ~2026-04-18 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Analyzed 4 commits since last check (20e46a7..cf053b8): - 2 engineer agent housekeeping commits (54bff77, cf053b8) - 1 security audit commit (c7c4378) - 1 documentation audit state update (e0cddc9) No documentation gaps found. All commits are internal maintenance (agent state tracking and security audit results) and don't require user-facing documentation changes. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Analyzed 2 commits since last check (cf053b8..c03edcb): - 1 engineer agent housekeeping commit (c03edcb) - 1 documentation audit state update (2e1923e) No documentation gaps found. All commits are internal agent maintenance and state tracking that don't require user-facing documentation changes. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Committing leftover artifacts from 2026-04-13 audit before running daily audit for 2026-04-14. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Status: YELLOW - Dependency vulnerabilities degraded Key findings: - npm vulnerabilities increased from 41 to 51 (↑10) - 1 critical resolved (2→1) but high/moderate increased - lodash runtime vulnerability in Discord connector (URGENT) - Most new vulnerabilities in Astro docs dependencies (dev-only) - No code changes since last audit (10 administrative commits) Priority actions: 1. Triage lodash vulnerability in Discord connector (24-48h) 2. Update Discord dependencies 3. Document web dashboard localhost-only design (#12) Scanner: 7.1s, FAIL (51 npm vulnerabilities) Commits reviewed: 10 (54bff77..e204320) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Security audit for 2026-04-22 covering 7 commits (e204320..57695ca). **Status:** YELLOW (STABLE - lodash vulnerability now OVERDUE) **Summary:** - Zero code changes (all administrative commits) - Scanner: 8.3s, FAIL (48 vulnerabilities) - Finding #13 escalated to CRITICAL priority - triage 5 days overdue - Finding #12 remains stale (47 days, needs documentation) - Core security controls clean (path-safety, env-handling) **Vulnerability Status:** - 1 CRITICAL: lodash in Discord connector (runtime impact) - 16 HIGH - 31 MODERATE (↑1 from last audit) - Total: 48 vulnerabilities **Critical Action Required:** lodash runtime vulnerability triage was due 2026-04-19, now 5 days overdue. This affects production Discord connector. **Files:** - scans/2026-04-22.json - Scanner output - intel/2026-04-22.md - Detailed intelligence report - summaries/2026-04-22-summary.md - Executive summary - STATE.md - Updated audit state - intel/FINDINGS-INDEX.md - Updated finding status Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Security audit for 2026-04-23 covering 3 commits (57695ca..0e6f094). **Status:** YELLOW (STABLE - lodash vulnerability 6 days overdue) **Summary:** - Zero code changes (all administrative commits) - Scanner: 8.1s, FAIL (53 vulnerabilities) - Finding #13 degraded - npm vulnerabilities increased 48→53 total (+5 moderate) - Finding #13 CRITICAL priority - lodash triage 6 days overdue (was due 2026-04-19) - Finding #12 remains stale (48 days, needs documentation) - Core security controls clean (path-safety, env-handling) **Vulnerability Status:** - 1 CRITICAL: lodash in Discord connector (runtime impact) - 16 HIGH - 36 MODERATE (↑5 from last audit) - Total: 53 vulnerabilities **Critical Action Required:** lodash runtime vulnerability triage was due 2026-04-19, now 6 days overdue. This affects production Discord connector. No remediation progress in 12 days since discovery. **Files:** - scans/2026-04-23.json - Scanner output - intel/2026-04-23.md - Detailed intelligence report - summaries/2026-04-23-summary.md - Executive summary - STATE.md - Updated audit state - intel/FINDINGS-INDEX.md - Updated finding status Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add changelog entry for Windows path traversal fix from @mblua. Analyzed 45 commits since last update (6053872..d2e616e). Found 1 user-facing change: - Windows path separator bug fix preventing all state file operations on Windows Updated agents/changelog/state.md with new commit position and run history. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Contributor
📝 WalkthroughWalkthroughIncremental updates to automated agent state tracking files (changelog, documentation audit, engineer status) advancing to late April 2026 with synchronized timestamps. Security audit infrastructure expanded with new findings tracking ( Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Deploying herdctl with
|
| Latest commit: |
53ec7ba
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://3b8496d0.herdctl.pages.dev |
| Branch Preview URL: | https://changelog-auto-update-2026-0-39ld.herdctl.pages.dev |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 11
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
agents/security/scans/2026-04-17-scanner.json (1)
1-19:⚠️ Potential issue | 🟠 Major
*.jsonartifact is not valid JSONLine 1–Line 19 contain plaintext stack-trace output, so this file cannot be parsed as JSON. That will break any pipeline expecting structured scan artifacts.
Suggested fix
-node:internal/modules/cjs/loader:1386 - throw err; - ^ -... -Node.js v22.22.0 +{ + "status": "error", + "error": { + "code": "MODULE_NOT_FOUND", + "message": "Cannot find module '/opt/herdctl/agents/security/tools/scanner.js'", + "runtime": "node", + "version": "v22.22.0" + }, + "raw_log": "node:internal/modules/cjs/loader:1386\\n throw err;\\n ^\\n..." +}🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@agents/security/scans/2026-04-17-scanner.json` around lines 1 - 19, The artifact contains a plaintext Node.js stack trace (error code "MODULE_NOT_FOUND", missing '/opt/herdctl/agents/security/tools/scanner.js', Node.js v22.22.0) so the file is not valid JSON; replace the plaintext with a well-formed JSON object (e.g., { "tool":"scanner", "status":"error", "errorCode":"MODULE_NOT_FOUND", "message":"Cannot find module /opt/herdctl/agents/security/tools/scanner.js", "stack":"<full stack trace>", "nodeVersion":"22.22.0", "timestamp":"<ISO8601>" }) so downstream consumers can parse it, ensure proper escaping of the stack string and run a JSON linter to validate before committing.
🧹 Nitpick comments (4)
agents/security/intel/2026-04-11.md (1)
160-169: Add language specifier to code block.The code block showing the download path pattern and validation logic would benefit from a TypeScript language specifier for better syntax highlighting.
💅 Optional: Add language identifier
-``` +```typescript {workingDir}/{download_dir}/{messageUUID}/{attachmentId}-{filename}And similarly for the validation block: ```diff -``` +```typescript .refine((v) => !v.includes("..") && !v.startsWith("/"), { message: "download_dir must be a relative path without '..' segments", })</details> <details> <summary>🤖 Prompt for AI Agents</summary>Verify each finding against the current code and only fix it if needed.
In
@agents/security/intel/2026-04-11.mdaround lines 160 - 169, Add TypeScript
language specifiers to the two code blocks: the path pattern block containing
"{workingDir}/{download_dir}/{messageUUID}/{attachmentId}-{filename}" and the
validation block that calls .refine((v) => !v.includes("..") &&
!v.startsWith("/"), { message: "download_dir must be a relative path without
'..' segments", }), so both blocks render with TypeScript syntax highlighting
(i.e., prepend "typescript" at the start and close with "").</details> </blockquote></details> <details> <summary>agents/engineer/conversations.md (1)</summary><blockquote> `13-150`: **Consider archiving older entries to maintain readability.** The log now contains 20+ nearly identical daily housekeeping entries. While each entry serves its purpose, the file's own documentation (lines 9) mentions archiving when approaching ~20,000 tokens. At 3500 tokens, you're well below the threshold, but the repetitive nature of these entries could impact readability. <details> <summary>💡 Optional: Consider archiving entries older than 30 days</summary> Since the entries from early April (2026-04-02 through 2026-04-08) provide minimal unique value compared to more recent entries, you could move them to `conversations-archive.md` to keep this file more focused on recent activity. This is purely optional and aligns with the archiving strategy already mentioned in the file header. </details> <details> <summary>🤖 Prompt for AI Agents</summary> ``` Verify each finding against the current code and only fix it if needed. In `@agents/engineer/conversations.md` around lines 13 - 150, The file contains many repetitive "Daily housekeeping - state file maintenance" entries that reduce readability; please archive older, low-value daily entries (e.g., the repeated 2026-04-02 through 2026-04-08 blocks) into a new conversations-archive.md and replace them in conversations.md with a single summary line or consolidated monthly summary under the same "Daily housekeeping - state file maintenance" heading; create the archive file, move the raw dated entries there (keeping timestamps intact), add a one-line pointer in conversations.md to the archive, and update the file header note about archiving if needed. ``` </details> </blockquote></details> <details> <summary>agents/security/summaries/2026-04-22-summary.md (1)</summary><blockquote> `132-137`: **Specify language for fenced code block.** The vulnerability trend code block should specify a language identifier for proper syntax highlighting and accessibility. <details> <summary>✨ Proposed improvement</summary> ```diff -``` +```text 2026-03-06: 8 total (0 crit, 4 high, 4 mod) 2026-04-11: 41 total (2 crit, 15 high, 24 mod) ↑33 vulnerabilities 2026-04-17: 51 total (1 crit, 16 high, 30 mod, 4 low) ↑10 vulnerabilities 2026-04-22: 48 total (1 crit, 16 high, 31 mod) ↓3 (scanner variance) ``` </details> <details> <summary>🤖 Prompt for AI Agents</summary>Verify each finding against the current code and only fix it if needed.
In
@agents/security/summaries/2026-04-22-summary.mdaround lines 132 - 137, The
fenced code block showing the vulnerability trend lacks a language tag; update
the block in the "vulnerability trend" section (the triple-backtick block
containing the date lines like "2026-03-06: 8 total ...") to include a
language identifier such as text (e.g., ```text) so markdown renderers and
accessibility tools correctly treat and highlight it.</details> </blockquote></details> <details> <summary>agents/security/summaries/2026-04-23-summary.md (1)</summary><blockquote> `150-155`: **Specify language for fenced code block.** The vulnerability trend code block should specify a language identifier for proper syntax highlighting and accessibility. <details> <summary>✨ Proposed improvement</summary> ```diff -``` +```text 2026-04-11: 41 total (2 crit, 15 high, 24 mod) [Discovery] 2026-04-17: 51 total (1 crit, 16 high, 30 mod) [↑10 - Degraded] 2026-04-22: 48 total (1 crit, 16 high, 31 mod) [↓3 - Stable] 2026-04-23: 53 total (1 crit, 16 high, 36 mod) [↑5 - Degraded] ``` </details> <details> <summary>🤖 Prompt for AI Agents</summary>Verify each finding against the current code and only fix it if needed.
In
@agents/security/summaries/2026-04-23-summary.mdaround lines 150 - 155, Add
a language identifier to the fenced code block that contains the vulnerability
trend in agents/security/summaries/2026-04-23-summary.md by changing the opening
triple backticks to include "text" (i.e., ```text) so the block is properly
marked for syntax highlighting/accessibility; locate the block showing the dated
lines (2026-04-11 through 2026-04-23) and update only the opening fence.</details> </blockquote></details> </blockquote></details> <details> <summary>🤖 Prompt for all review comments with AI agents</summary>Verify each finding against the current code and only fix it if needed.
Inline comments:
In@agents/docs/state.md:
- Line 11: Update the stale "Last Updated" timestamp value (the "Last
Updated: 2026-04-26" entry) to match the documented run date (2026-04-27) so
all timestamps in this document are consistent; search for the "Last Updated"
string and any other occurrences of 2026-04-26 in this file (including the
run/date entries referenced elsewhere) and replace them with 2026-04-27 to avoid
audit-state mismatch.In
@agents/security/intel/2026-04-23.md:
- Around line 135-138: The "Open Questions:" header total is inconsistent with
the breakdown; update the header or the lists so the summed counts match: either
change the header count from "10 total" to "11 total" or remove/relocate one
question from the listed groups so the breakdown equals 10; adjust the lines
showing the grouped questions (the lines listing "Medium priority: Q1, Q4, Q5,
Q7, Q8, Q13, Q15" and "Low priority: Q9, Q10, Q11, Q16") accordingly so the
header and the enumerated items (Q1–Q16) are consistent.- Around line 158-163: The fenced code block containing the date lines
("2026-04-11: 41 total..." through "2026-04-23: 53 total...") is missing a
language tag; update the opening triple-backtick to include a language (e.g.,MD040. In `@agents/security/intel/FINDINGS-INDEX.md`: - Line 10: The document incorrectly labels the lodash triage as "6 days overdue" when the deadline 2026-04-19 to current date 2026-04-23 is 4 days; update all occurrences of the overdue phrasing—e.g., "triage 6 days overdue", "6 days overdue (deadline was 2026-04-19)", "6 days past deadline", "6 DAYS OVERDUE", and "6 days OVERDUE"—to "4 days" (or "4 DAYS" where casing matches) in FINDINGS-INDEX.md so the arithmetic matches the stated dates. In `@agents/security/scans/history.txt`: - Around line 1-2: The two history rows use different delimiters which breaks parsing: change the second entry ("2026-04-13 c03edcb FAIL 7720ms 6-checks 2-fail 2-warn 2-pass (npm-vulns-unresolved)") to match the pipe-delimited schema used by the first row ("2026-04-11 | 54bff77 | 7.2s | FAIL | 2 critical, 15 high, 24 moderate npm vulns; path traversal strengthened | GREEN"); ensure fields follow the same order (date | commit | duration | status | vuln/notes | tag) and use " | " between each field so all history rows are consistently pipe-delimited for programmatic parsing. In `@agents/security/STATE.md`: - Line 25: The STATE.md entry for the lodash triage incorrectly reports the overdue period as "6 days" (deadline 2026-04-19, current 2026-04-23) — update every textual occurrence that refers to that overdue span so it reads "4 days" instead; specifically replace strings like "6 days", "6 days OVERDUE", "6 DAYS", and "6 days overdue" when they refer to the lodash triage/incremental audit (the "Last incremental audit" / lodash vulnerability entries) so the document consistently shows a 4-day overdue period. In `@agents/security/summaries/2026-04-13-summary.md`: - Around line 109-113: The low-priority section header currently reads "**Low Priority (3):**" but the bullet list contains four items (Q9, Q10, Q11, Q16); update the header to "**Low Priority (4):**" so the count matches the items (or remove one of the listed questions if you intended three); specifically edit the heading text in agents/security/summaries/2026-04-13-summary.md near the "**Low Priority (3):**" token to reflect the correct count and verify no other summaries reference this inconsistent count. In `@agents/security/summaries/2026-04-22-summary.md`: - Line 26: Update the incorrect overdue count in the status string "**Status:** OPEN - DEGRADED - **TRIAGE OVERDUE BY 5 DAYS**" to reflect the actual difference between the deadline and report date (2026-04-19 → 2026-04-22 = 3 days); replace "5" with "3" (or, if this value is generated, fix the calculation that produces the overdue number so it computes report_date - deadline correctly) and ensure the updated value matches the existing "3 days OVERDUE" text elsewhere in the document. In `@agents/security/summaries/2026-04-23-summary.md`: - Line 16: The document incorrectly calculates the lodash triage overdue period as "6 days" between deadline 2026-04-19 and report date 2026-04-23; locate and replace all occurrences of the phrases "6 days OVERDUE", "6 DAYS OVERDUE", "6 days ago", and "6 days overdue" (as seen in the diff) with "4 days" (or "4 DAYS" where uppercase is used) so every reference to the overdue period reflects the correct 4-day interval. In `@agents/security/summaries/latest.md`: - Line 1: latest.md currently contains an absolute, stale path "/opt/herdctl/agents/security/summaries/2026-04-13-summary.md"; update the link in agents/security/summaries/latest.md to a relative, portable reference to the newest summary (e.g., "2026-04-23-summary.md") or to a relative "summary-latest.md" file so it doesn't use host-specific /opt paths and always points to the most recent summary. In `@docs/src/content/docs/whats-new.md`: - Line 10: Change the heading "Windows Path Traversal Fix" from level 3 to level 2 to fix the markdownlint heading-level jump; locate the heading line with the text "Windows Path Traversal Fix" (currently prefixed by "###") and replace the prefix with "##" (or add an intermediate "##" section above it) so the headings increment correctly. --- Outside diff comments: In `@agents/security/scans/2026-04-17-scanner.json`: - Around line 1-19: The artifact contains a plaintext Node.js stack trace (error code "MODULE_NOT_FOUND", missing '/opt/herdctl/agents/security/tools/scanner.js', Node.js v22.22.0) so the file is not valid JSON; replace the plaintext with a well-formed JSON object (e.g., { "tool":"scanner", "status":"error", "errorCode":"MODULE_NOT_FOUND", "message":"Cannot find module /opt/herdctl/agents/security/tools/scanner.js", "stack":"<full stack trace>", "nodeVersion":"22.22.0", "timestamp":"<ISO8601>" }) so downstream consumers can parse it, ensure proper escaping of the stack string and run a JSON linter to validate before committing. --- Nitpick comments: In `@agents/engineer/conversations.md`: - Around line 13-150: The file contains many repetitive "Daily housekeeping - state file maintenance" entries that reduce readability; please archive older, low-value daily entries (e.g., the repeated 2026-04-02 through 2026-04-08 blocks) into a new conversations-archive.md and replace them in conversations.md with a single summary line or consolidated monthly summary under the same "Daily housekeeping - state file maintenance" heading; create the archive file, move the raw dated entries there (keeping timestamps intact), add a one-line pointer in conversations.md to the archive, and update the file header note about archiving if needed. In `@agents/security/intel/2026-04-11.md`: - Around line 160-169: Add TypeScript language specifiers to the two code blocks: the path pattern block containing "{workingDir}/{download_dir}/{messageUUID}/{attachmentId}-{filename}" and the validation block that calls .refine((v) => !v.includes("..") && !v.startsWith("/"), { message: "download_dir must be a relative path without '..' segments", }), so both blocks render with TypeScript syntax highlighting (i.e., prepend "```typescript" at the start and close with "```"). In `@agents/security/summaries/2026-04-22-summary.md`: - Around line 132-137: The fenced code block showing the vulnerability trend lacks a language tag; update the block in the "vulnerability trend" section (the triple-backtick block containing the date lines like "2026-03-06: 8 total ...") to include a language identifier such as text (e.g., ```text) so markdown renderers and accessibility tools correctly treat and highlight it. In `@agents/security/summaries/2026-04-23-summary.md`: - Around line 150-155: Add a language identifier to the fenced code block that contains the vulnerability trend in agents/security/summaries/2026-04-23-summary.md by changing the opening triple backticks to include "text" (i.e., ```text) so the block is properly marked for syntax highlighting/accessibility; locate the block showing the dated lines (2026-04-11 through 2026-04-23) and update only the opening fence.🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID:
f84c4254-71b8-438a-9924-36786af75a95📒 Files selected for processing (21)
agents/changelog/state.mdagents/docs/state.mdagents/engineer/conversations.mdagents/engineer/state.mdagents/security/STATE.mdagents/security/intel/2026-04-11.mdagents/security/intel/2026-04-17.mdagents/security/intel/2026-04-22.mdagents/security/intel/2026-04-23.mdagents/security/intel/FINDINGS-INDEX.mdagents/security/scans/2026-04-17-scanner.jsonagents/security/scans/2026-04-22.jsonagents/security/scans/2026-04-23.jsonagents/security/scans/history.txtagents/security/summaries/2026-04-11-summary.mdagents/security/summaries/2026-04-13-summary.mdagents/security/summaries/2026-04-17-summary.mdagents/security/summaries/2026-04-22-summary.mdagents/security/summaries/2026-04-23-summary.mdagents/security/summaries/latest.mddocs/src/content/docs/whats-new.md
| # Documentation Audit State | ||
|
|
||
| **Last Updated:** 2026-03-13 | ||
| **Last Updated:** 2026-04-26 |
Contributor
There was a problem hiding this comment.
Last Updated date is stale relative to this run
Line 11 shows 2026-04-26, but this file records a run on 2026-04-27 (Line 3 / Line 23). Please align these timestamps to avoid audit-state confusion.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/docs/state.md` at line 11, Update the stale "Last Updated" timestamp
value (the "**Last Updated:** 2026-04-26" entry) to match the documented run
date (2026-04-27) so all timestamps in this document are consistent; search for
the "Last Updated" string and any other occurrences of 2026-04-26 in this file
(including the run/date entries referenced elsewhere) and replace them with
2026-04-27 to avoid audit-state mismatch.
Comment on lines
+135
to
+138
| **Open Questions:** 10 total | ||
| - Medium priority: Q1, Q4, Q5, Q7, Q8, Q13, Q15 (7 questions) | ||
| - Low priority: Q9, Q10, Q11, Q16 (4 questions - Q11, Q16 partially answered) | ||
|
|
Contributor
There was a problem hiding this comment.
Open-question totals are inconsistent
Line 135 says 10 total, but Line 136 (7) + Line 137 (4) equals 11. Please align the header/count breakdown so audit tracking stays accurate.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/intel/2026-04-23.md` around lines 135 - 138, The "Open
Questions:" header total is inconsistent with the breakdown; update the header
or the lists so the summed counts match: either change the header count from "10
total" to "11 total" or remove/relocate one question from the listed groups so
the breakdown equals 10; adjust the lines showing the grouped questions (the
lines listing "Medium priority: Q1, Q4, Q5, Q7, Q8, Q13, Q15" and "Low priority:
Q9, Q10, Q11, Q16") accordingly so the header and the enumerated items (Q1–Q16)
are consistent.
Comment on lines
+158
to
+163
| ``` | ||
| 2026-04-11: 41 total (2 crit, 15 high, 24 mod) | ||
| 2026-04-17: 51 total (1 crit, 16 high, 30 mod, 4 low) | ||
| 2026-04-22: 48 total (1 crit, 16 high, 31 mod) | ||
| 2026-04-23: 53 total (1 crit, 16 high, 36 mod) [↑5 moderate] | ||
| ``` |
Contributor
There was a problem hiding this comment.
Add a language to the fenced code block
The code fence starting at Line 158 has no language tag, which will fail markdownlint MD040.
Suggested fix
-```
+```text
2026-04-11: 41 total (2 crit, 15 high, 24 mod)
2026-04-17: 51 total (1 crit, 16 high, 30 mod, 4 low)
2026-04-22: 48 total (1 crit, 16 high, 31 mod)
2026-04-23: 53 total (1 crit, 16 high, 36 mod) [↑5 moderate]</details>
<!-- suggestion_start -->
<details>
<summary>📝 Committable suggestion</summary>
> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
```suggestion
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)
[warning] 158-158: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/intel/2026-04-23.md` around lines 158 - 163, The fenced code
block containing the date lines ("2026-04-11: 41 total..." through "2026-04-23:
53 total...") is missing a language tag; update the opening triple-backtick to
include a language (e.g., ```text) so the block becomes a labeled code fence and
satisfies markdownlint MD040.
| | 012 | **HIGH** | **Web API lacks authentication** | 2026-03-06 | 🔴 OPEN - Document localhost-only | packages/web/src/server/routes/chat.ts | | ||
| | 011 | **MEDIUM** | **OAuth credential management - risk elevated** | 2026-02-20 | 🟡 YELLOW - Session exposure risk | container-manager.ts + session files | | ||
| | 010 | Medium | bypassPermissions in job files (22 files) | 2026-02-12 | 🟡 YELLOW - Retention needed | .herdctl/jobs/*.yaml | | ||
| | 013 | **HIGH** | **npm dependency vulnerabilities (OVERDUE)** | 2026-04-11 | 🔴 OPEN - triage 6 days overdue | dependencies | |
Contributor
There was a problem hiding this comment.
Correct the overdue day calculation throughout the document.
The document consistently states that the lodash triage is "6 days overdue" with a deadline of 2026-04-19 and current date of 2026-04-23. However, the actual overdue period is 4 days (2026-04-19 to 2026-04-23 = 4 days), not 6 days.
This arithmetic error appears in multiple locations:
- Line 10: "triage 6 days overdue"
- Line 280: "6 days overdue (deadline was 2026-04-19)"
- Line 319: "6 days overdue"
- Line 328: "6 days past deadline"
- Line 340: "6 DAYS OVERDUE"
- Line 391: "6 days OVERDUE"
📐 Proposed fix for arithmetic errors
Replace all instances of "6 days" with "4 days" throughout the document where referring to the overdue period from the 2026-04-19 deadline as of 2026-04-23.
Also applies to: 276-341, 390-391
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/intel/FINDINGS-INDEX.md` at line 10, The document incorrectly
labels the lodash triage as "6 days overdue" when the deadline 2026-04-19 to
current date 2026-04-23 is 4 days; update all occurrences of the overdue
phrasing—e.g., "triage 6 days overdue", "6 days overdue (deadline was
2026-04-19)", "6 days past deadline", "6 DAYS OVERDUE", and "6 days OVERDUE"—to
"4 days" (or "4 DAYS" where casing matches) in FINDINGS-INDEX.md so the
arithmetic matches the stated dates.
Comment on lines
+1
to
+2
| 2026-04-11 | 54bff77 | 7.2s | FAIL | 2 critical, 15 high, 24 moderate npm vulns; path traversal strengthened | GREEN | ||
| 2026-04-13 c03edcb FAIL 7720ms 6-checks 2-fail 2-warn 2-pass (npm-vulns-unresolved) |
Contributor
There was a problem hiding this comment.
History row format is inconsistent across entries
Line 1 is pipe-delimited, but Line 2 uses a different space-delimited schema. If this file is parsed programmatically, this inconsistency can corrupt scan-history ingestion.
Suggested fix
-2026-04-13 c03edcb FAIL 7720ms 6-checks 2-fail 2-warn 2-pass (npm-vulns-unresolved)
+2026-04-13 | c03edcb | 7.7s | FAIL | 6 checks: 2 fail, 2 warn, 2 pass (npm-vulns-unresolved) | YELLOW🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/scans/history.txt` around lines 1 - 2, The two history rows
use different delimiters which breaks parsing: change the second entry
("2026-04-13 c03edcb FAIL 7720ms 6-checks 2-fail 2-warn 2-pass
(npm-vulns-unresolved)") to match the pipe-delimited schema used by the first
row ("2026-04-11 | 54bff77 | 7.2s | FAIL | 2 critical, 15 high, 24 moderate npm
vulns; path traversal strengthened | GREEN"); ensure fields follow the same
order (date | commit | duration | status | vuln/notes | tag) and use " | "
between each field so all history rows are consistently pipe-delimited for
programmatic parsing.
Comment on lines
+109
to
+113
| **Low Priority (3):** | ||
| - Q9: Rate limiting on triggers | ||
| - Q10: MCP security model | ||
| - Q11: GitHub SSRF (confirmed) | ||
| - Q16: Voice transcription retention |
Contributor
There was a problem hiding this comment.
Low-priority question count is off by one
Line 109 says (3), but Line 110–Line 113 list 4 questions. Please make the count and list consistent.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/summaries/2026-04-13-summary.md` around lines 109 - 113, The
low-priority section header currently reads "**Low Priority (3):**" but the
bullet list contains four items (Q9, Q10, Q11, Q16); update the header to "**Low
Priority (4):**" so the count matches the items (or remove one of the listed
questions if you intended three); specifically edit the heading text in
agents/security/summaries/2026-04-13-summary.md near the "**Low Priority (3):**"
token to reflect the correct count and verify no other summaries reference this
inconsistent count.
|
|
||
| ### 🔴 Finding #013 - npm Dependency Vulnerabilities (OVERDUE) | ||
| **Severity:** HIGH | ||
| **Status:** OPEN - DEGRADED - **TRIAGE OVERDUE BY 5 DAYS** |
Contributor
There was a problem hiding this comment.
Correct the overdue day calculation.
Line 26 states the triage is "OVERDUE BY 5 DAYS," but line 37 in the same document correctly states "3 days OVERDUE" (deadline: 2026-04-19, report date: 2026-04-22).
From 2026-04-19 to 2026-04-22 = 3 days, not 5 days.
📐 Proposed fix
-**Status:** OPEN - DEGRADED - **TRIAGE OVERDUE BY 5 DAYS**
+**Status:** OPEN - DEGRADED - **TRIAGE OVERDUE BY 3 DAYS**📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| **Status:** OPEN - DEGRADED - **TRIAGE OVERDUE BY 5 DAYS** | |
| **Status:** OPEN - DEGRADED - **TRIAGE OVERDUE BY 3 DAYS** |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/summaries/2026-04-22-summary.md` at line 26, Update the
incorrect overdue count in the status string "**Status:** OPEN - DEGRADED -
**TRIAGE OVERDUE BY 5 DAYS**" to reflect the actual difference between the
deadline and report date (2026-04-19 → 2026-04-22 = 3 days); replace "5" with
"3" (or, if this value is generated, fix the calculation that produces the
overdue number so it computes report_date - deadline correctly) and ensure the
updated value matches the existing "3 days OVERDUE" text elsewhere in the
document.
| **Key Findings:** | ||
| - Zero security-relevant code changes (all commits administrative) | ||
| - npm vulnerabilities increased: 48→53 total (+5 moderate) | ||
| - lodash critical vulnerability now 6 days OVERDUE for triage (deadline: 2026-04-19) |
Contributor
There was a problem hiding this comment.
Correct the overdue day calculation throughout the document.
The document consistently states that the lodash triage is "6 days overdue" with a deadline of 2026-04-19 and report date of 2026-04-23. However, the actual overdue period is 4 days (2026-04-19 to 2026-04-23 = 4 days), not 6 days.
This arithmetic error appears in multiple locations:
- Line 16: "6 days OVERDUE"
- Line 39: "6 DAYS OVERDUE"
- Line 42: "6 days ago"
- Line 164: "6 DAYS OVERDUE"
- Line 221: "6 days overdue"
📐 Proposed fix for arithmetic errors
Replace all instances of "6 days" with "4 days" throughout the document where referring to the overdue period from the 2026-04-19 deadline.
Also applies to: 39-42, 164-164, 221-221
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/summaries/2026-04-23-summary.md` at line 16, The document
incorrectly calculates the lodash triage overdue period as "6 days" between
deadline 2026-04-19 and report date 2026-04-23; locate and replace all
occurrences of the phrases "6 days OVERDUE", "6 DAYS OVERDUE", "6 days ago", and
"6 days overdue" (as seen in the diff) with "4 days" (or "4 DAYS" where
uppercase is used) so every reference to the overdue period reflects the correct
4-day interval.
| @@ -0,0 +1 @@ | |||
| /opt/herdctl/agents/security/summaries/2026-04-13-summary.md No newline at end of file | |||
Contributor
There was a problem hiding this comment.
latest.md points to an older and non-portable target
Line 1 points to 2026-04-13-summary.md via an absolute /opt/... path. That is both stale (newer 2026-04-23 summary exists in this PR) and host-specific.
Suggested fix
-/opt/herdctl/agents/security/summaries/2026-04-13-summary.md
+agents/security/summaries/2026-04-23-summary.md📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| /opt/herdctl/agents/security/summaries/2026-04-13-summary.md | |
| agents/security/summaries/2026-04-23-summary.md |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/summaries/latest.md` at line 1, latest.md currently contains
an absolute, stale path
"/opt/herdctl/agents/security/summaries/2026-04-13-summary.md"; update the link
in agents/security/summaries/latest.md to a relative, portable reference to the
newest summary (e.g., "2026-04-23-summary.md") or to a relative
"summary-latest.md" file so it doesn't use host-specific /opt paths and always
points to the most recent summary.
|
|
||
| --- | ||
|
|
||
| ### Windows Path Traversal Fix |
Contributor
There was a problem hiding this comment.
Fix heading level jump for markdownlint compliance
Line 10 uses ### directly; lint expects the next heading level to increment by one. Use ## here (or add an intermediate ## section heading).
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)
[warning] 10-10: Heading levels should only increment by one level at a time
Expected: h2; Actual: h3
(MD001, heading-increment)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@docs/src/content/docs/whats-new.md` at line 10, Change the heading "Windows
Path Traversal Fix" from level 3 to level 2 to fix the markdownlint
heading-level jump; locate the heading line with the text "Windows Path
Traversal Fix" (currently prefixed by "###") and replace the prefix with "##"
(or add an intermediate "##" section above it) so the headings increment
correctly.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Daily changelog update for 2026-04-27. Analyzed 45 commits since the last update on 2026-03-13, finding 1 user-facing change to document:
Changes
agents/changelog/state.mdwith latest commit position (d2e616e) and run historyCommits Analyzed
Reviewed all commits from 6053872 (2026-03-13) to d2e616e (2026-04-27). Most were automated housekeeping commits. The only user-facing change was the Windows compatibility fix in PR #210.
Test plan
Generated with Claude Code
Summary by CodeRabbit
Bug Fixes
New Features
Security